lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 3 Jan 2016 16:12:50 +0100
From: "Stefan Kanthak" <>
To: <>
Subject: [FD] Executable installers/self-extractors are vulnerable^WEVIL
	(case 17): Kaspersky Labs utilities

Hi @ll,

quite some utilities offered for free by Kaspersky Lab load and execute
rogue/bogus DLLs (UXTheme.dll, HNetCfg.dll, RichEd20.dll, RASAdHlp.dll,
SetupAPI.dll, ClbCatQ.dll, XPSP2Res.dll, CryptNet.dll, OLEAcc.dll etc.)
eventually found in the directory they are started from (the "application

For software downloaded with a web browser the application directory is
typically the user's "Downloads" directory: see
and <> for "prior art"
about this well-known and well-documented vulnerability.

If one of the DLLs named above gets planted in the user's "Downloads"
directory per "drive-by download" or "social engineering" this
vulnerability becomes a remote code execution.

Due to the application manifest embedded in some of the executables
which specifies "requireAdministrator" or the installer detection of
Windows' user account control theses installers/self-extractors are
started with administrative privileges ("protected" administrators are
prompted for consent, unprivileged standard users are prompted for an
administrator password); execution of any hijacked DLL results in
an escalation of privilege!

See <> and
<> plus
<> and the still unfinished
<!execute.html> for more details and why
executable installers (and self-extractors too) are bad and should be

Kaspersky Lab published a security advisory 2015-12-23
after they made updated versions of their utilities available on

stay tuned
Stefan Kanthak

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists